Technologies and procedures for effectively securing cyberspace exist, but are largely underdeployed. One reason for this is that organizational - reward systems lack the proper incentives for decision-maker allocation of resources. We identify characteristics of differing stakeholder perceptions of security and privacy risks and integrate them in a decision making framework. We significantly revise the Fischhoff and Slovic model of risk perceptions --- introducing ordinal scales to the identified characteristics of risk perceptions, and incorporating the dynamics of perception by including the important and neglected time element. Over twelve months, we reviewed and verified the model with thirty five senior information security executives from industrial and governmental organizations. We present a methodology for identification of perverse incentives---situations where the interests of a manager or employee are not aligned with those of the organization; and how the policies and reward system may be modified to correct the mis-alignment.
Farahmand, Fariborz; Atallah, Mikhail; and Konsynski, Benn, "Incentives and Perceptions of Information Security Risks" (2008). ICIS 2008 Proceedings. 25.